Apple, Google, Facebook Get More Senate Scrutiny Over Mobile Privacy

Representatives from Facebook, Apple, Google, and the Federal Trade Commission testified on Thursday before the Senate’s Consumer Protection, Product Safety and Insurance Subcommittee concerning privacy issues on mobile devices. The hearing follows questioning of both Apple and Google last week before the Senate Judiciary Subcommittee on Privacy, Technology and the Law concerning recent public revelations relating to location data collection and storage.

[partner id=”arstechnica”]Testifying was director of the FTC’s Bureau of Consumer Protection David Vladeck, Facebook CTO Bret Taylor, Apple VP of worldwide affairs Catherine Novelli, and Google director of public policy Alan Davidson. These four were joined by the executive director of the Association for Competitive Technology Morgan Reed and the COO of Common Sense Media Amy Shenkan. The hearing was convened by Subcommittee Chairmen Sen. Jay Rockefeller (D-WV) and Sen. Mark Pryor (D-AR) to understand what role the government could and should play in establishing a legislative standard to protect consumer privacy in an age where mobile devices can collect and transmit massive amounts of personal information.

A recurring theme throughout the hearing was that the benefits offered from mobile devices, location services, and behavioral tracking shouldn’t be eliminated or erased. Rather, those benefits shouldn’t come at the compromise of consumer privacy or an individual’s choice.

Sen. John Kerry (D-MA) argued that the problem isn’t just smartphones using location data. “While this hearing is principally about mobile phones and apps, its also important to put the mobile phone and app in context of the larger discussion about privacy in general,” he said. Just shutting off location services isn’t a solution — location services have benefits that we want, but platform vendors, app developers, and network operators need to ensure basic privacy and clearly inform consumes of the risks involved.

Kerry emphatically opposed companies that have so far resisted regulation on the grounds that it will stifle the “internet economy.” “I reject the notion that privacy is the enemy of innovation,” Kerry said, noting that increasing consumer trust will encourage increased participation in more services. Kerry called for a comprehensive basic privacy standard that informs consumers of what information is being collected, why they are being tracked, and how that information is shared with third parties.

The FTC’s David Vladeck agreed that mobile devices offer enormous benefits to consumers as well as to entrepreneurs that build apps and services that run on the devices. But the always-available, always-on nature raises serious privacy concerns. Referring to the FTC’s recent report on privacy policy, Vladeck reiterated that services should include privacy by design, not as a afterthought tacked on to a system later.

In particular, Vladeck noted that the small screens of smartphones simply cannot convey verbose legalese of standard privacy policies. Disclosures need to be “bottom-line” and also “just in time,” or when consumers need to make a choice about sharing information.

During his testimony, Facebook CTO Bret Taylor described the Internet as transforming from a mostly static environment ten years ago to a dynamic experience fueled by social connections and sharing information. Given recent privacy issues with Facebook, however, it was hard not to chuckle a bit when he told the Subcommittee that “we understand that trust is the foundation of our services.” Taylor was quick to point out that everyone has a role to play in maintaining privacy, though, including users, service providers, third-party developers, and legislators.

Apple VP Catherine Novelli stated her company’s case very plainly, emphasizing Apple’s privacy policy, strict developer requirements, and extensive parental controls. She also confirmed a recent change in iAd policy that prevents ads from being served to apps that are primarily targeted at children, and does not allow apps that attempt to collect information from minors.

Sen Roy Blunt (R-MO) asked Novelli point blank if Apple tracked the location of his iPhone. “No,” she replied.

Novelli reiterated the company line that iOS devices have never tracked individuals, and that Apple does not collect any information that can be connected to an individual or their device. She also referenced the recent iOS update which limited the size and scope of the location cache and deleted it whenever location services were deactivated.

Google’s Alan Davidson said that 40 percent of all use of Google Maps comes from mobile devices like iPhones and Android handsets. Still, he agreed that those services won’t continue to be used if providers if consumers can’t trust the their privacy is being protected.

Sen John Thune (R-SD) noted that Google was recently under the FTC’s gun for inappropriate sharing of information between Gmail and its failed social networking service Buzz. Davison responded by noting that Google has since adopted a policy of always considering privacy first, and getting affirmative consent from users. Davidson also noted that Google has an agreement with FTC to have its privacy practices audited for the next 20 years.

Common Sense Media CCO Amy Shenkan was present to make sure Congress was thinking about the children. Shenkan cited a statistic that 85 percent of parents are more concerned about privacy online than they were five years ago. While her group can appreciate the Internet economy, it does not appreciate the “can’t do attitude” that companies can’t find a reasonable technological solution to protecting the privacy of children online. “They can do better—we know it, they know,” she said.

While she acknowledged that parents and service providers share a responsibility in protecting the privacy of children, Shenkan listed five main practices that should be legislated. First, “opt-in” should be the industry standard for information collection and sharing. There should be clear and transparent policy. There should be absolutely no behavioral tracking of minors. There must be an increase in education and awareness of privacy for both kids and parents. And finally, kids and parents should have a mechanism to easily and safely delete inappropriate information that ends up online.

Those practices in general sounds good for everyone, but Sen. Blunt was particularly interested in Shenkan’s last point about “protecting kids from permanent damage” by facilitating a way to remove information that is posted online either by another party or through a child’s own naïveté. “How do you do that if someone else has already seen and captured that data?” he asked. “I don’t think we can do anything; I don’t think there’s a fence that would could build high enough to keep that from happening,” he said.